From: Zheng Wang <zyytlz.wz@163.com>
[ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ]
In btsdio_probe, the data->work is bound with btsdio_work. It will be
started in btsdio_send_frame.
If the btsdio_remove runs with a unfinished work, there may be a race
condition that hdev is freed but used in btsdio_work. Fix it by
canceling the work before do cleanup in btsdio_remove.
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c
index 795be33f2892..f19d31ee37ea 100644
--- a/drivers/bluetooth/btsdio.c
+++ b/drivers/bluetooth/btsdio.c
@@ -357,6 +357,7 @@ static void btsdio_remove(struct sdio_func *func)
if (!data)
return;
+ cancel_work_sync(&data->work);
hdev = data->hdev;
sdio_set_drvdata(func, NULL);
--
2.35.6On Wed, Sep 06, 2023 at 05:45:25PM +0530, Deepak Rathore wrote:
> From: Zheng Wang <zyytlz.wz@163.com>
>
> [ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ]
>
> In btsdio_probe, the data->work is bound with btsdio_work. It will be
> started in btsdio_send_frame.
>
> If the btsdio_remove runs with a unfinished work, there may be a race
> condition that hdev is freed but used in btsdio_work. Fix it by
> canceling the work before do cleanup in btsdio_remove.
>
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Signed-off-by: Deepak Rathore <deeratho@cisco.com>
Meta-comment, are you SURE you want this applied? If so, why was it
reverted upstream in 6.4 in commit db2bf510bd5d ("Revert "Bluetooth:
btsdio: fix use after free bug in btsdio_remove due to unfinished
work"")
What testing did you do that determined this should be added to the
tree? How did you come up with just this one commit to be requested to
be applied to just this one branch?
thanks,
greg k-h-
-----Original Message-----
From: Greg KH <gregkh@linuxfoundation.org>
Sent: Monday, September 11, 2023 1:56 AM
To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) <deeratho@cisco.com>
Cc: stable@vger.kernel.org; linux-kernel@vger.kernel.org
Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
On Wed, Sep 06, 2023 at 05:45:25PM +0530, Deepak Rathore wrote:
> From: Zheng Wang <zyytlz.wz@163.com>
>
> [ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ]
>
> In btsdio_probe, the data->work is bound with btsdio_work. It will be
> started in btsdio_send_frame.
>
> If the btsdio_remove runs with a unfinished work, there may be a race
> condition that hdev is freed but used in btsdio_work. Fix it by
> canceling the work before do cleanup in btsdio_remove.
>
> Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Signed-off-by: Deepak Rathore <deeratho@cisco.com>
> Meta-comment, are you SURE you want this applied? If so, why was it reverted upstream in 6.4 in commit db2bf510bd5d ("Revert "Bluetooth:
> btsdio: fix use after free bug in btsdio_remove due to unfinished
> work"")
> What testing did you do that determined this should be added to the tree? How did you come up with just this one commit to be requested to be applied to just this one branch?
> thanks,
> greg k-h-
Hi Greg,
Yes. I am sure that this fix should be applied to v6.1 stable branch. Our CVERT tool reported kernel CVE CVE-2023-1989 on v6.1 kernel and this fix is also missing in upstream kernel v6.1 as well.
In the reverted upstream commit db2bf510bd5d ("Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work""), it is clearly mentioned that this commit db2bf510bd5d is causing null-ptr-def problem and fixed bug by this patch have resolved by another commit 73f7b171b7c0. I have backported same commit 73f7b171b7c0 and sent this for review. Please see the below commit message of commit db2bf510bd5d:
git show db2bf510bd5d
commit db2bf510bd5d57f064d9e1db395ed86a08320c54
Author: Liu Jian <liujian56@huawei.com>
Date: Fri Apr 14 18:30:06 2023 +0800
Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work"
This reverts commit 1e9ac114c4428fdb7ff4635b45d4f46017e8916f.
This patch introduces a possible null-ptr-def problem. Revert it. And the
fixed bug by this patch have resolved by commit 73f7b171b7c0 ("Bluetooth:
btsdio: fix use after free bug in btsdio_remove due to race condition").
Fixes: 1e9ac114c442 ("Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work")
Signed-off-by: Liu Jian <liujian56@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
After backporting, I have verified the compilation of x86 architecture at my end and it is success.
- Deepak
On Mon, Sep 11, 2023 at 01:17:47PM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote:
> -----Original Message-----
> From: Greg KH <gregkh@linuxfoundation.org>
> Sent: Monday, September 11, 2023 1:56 AM
> To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) <deeratho@cisco.com>
> Cc: stable@vger.kernel.org; linux-kernel@vger.kernel.org
> Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
>
> On Wed, Sep 06, 2023 at 05:45:25PM +0530, Deepak Rathore wrote:
> > From: Zheng Wang <zyytlz.wz@163.com>
> >
> > [ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ]
> >
> > In btsdio_probe, the data->work is bound with btsdio_work. It will be
> > started in btsdio_send_frame.
> >
> > If the btsdio_remove runs with a unfinished work, there may be a race
> > condition that hdev is freed but used in btsdio_work. Fix it by
> > canceling the work before do cleanup in btsdio_remove.
> >
> > Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > Signed-off-by: Deepak Rathore <deeratho@cisco.com>
>
> > Meta-comment, are you SURE you want this applied? If so, why was it reverted upstream in 6.4 in commit db2bf510bd5d ("Revert "Bluetooth:
> > btsdio: fix use after free bug in btsdio_remove due to unfinished
> > work"")
>
> > What testing did you do that determined this should be added to the tree? How did you come up with just this one commit to be requested to be applied to just this one branch?
>
> > thanks,
>
> > greg k-h-
>
> Hi Greg,
>
> Yes. I am sure that this fix should be applied to v6.1 stable branch. Our CVERT tool reported kernel CVE CVE-2023-1989 on v6.1 kernel and this fix is also missing in upstream kernel v6.1 as well.
I have no idea what a CVERT tool is, only that you can almost guarantee
that it will not work well for kernel cves given the way that cves are
broken for the kernel. But good luck with it! :)
> In the reverted upstream commit db2bf510bd5d ("Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work""), it is clearly mentioned that this commit db2bf510bd5d is causing null-ptr-def problem and fixed bug by this patch have resolved by another commit 73f7b171b7c0. I have backported same commit 73f7b171b7c0 and sent this for review. Please see the below commit message of commit db2bf510bd5d:
So, can you verify that the latest 6.1.y released kernel is correct now?
thanks,
greg k-h
On Wed, Sep 06, 2023 at 05:45:25PM +0530, Deepak Rathore wrote: > From: Zheng Wang <zyytlz.wz@163.com> > > [ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ] > > In btsdio_probe, the data->work is bound with btsdio_work. It will be > started in btsdio_send_frame. > > If the btsdio_remove runs with a unfinished work, there may be a race > condition that hdev is freed but used in btsdio_work. Fix it by > canceling the work before do cleanup in btsdio_remove. > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > Signed-off-by: Deepak Rathore <deeratho@cisco.com> > What tree(s) are you wanting this applied to? thanks, greg k-h
Hi Greg, I want to merge this change into v6.1.52 stable kernel version. I have added these details in my patch subject message. Sorry for inconvenience. Thanks & Regards, Deepak -----Original Message----- From: Greg KH <gregkh@linuxfoundation.org> Sent: Thursday, September 7, 2023 3:47 PM To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) <deeratho@cisco.com> Cc: stable@vger.kernel.org; linux-kernel@vger.kernel.org Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition On Wed, Sep 06, 2023 at 05:45:25PM +0530, Deepak Rathore wrote: > From: Zheng Wang <zyytlz.wz@163.com> > > [ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ] > > In btsdio_probe, the data->work is bound with btsdio_work. It will be > started in btsdio_send_frame. > > If the btsdio_remove runs with a unfinished work, there may be a race > condition that hdev is freed but used in btsdio_work. Fix it by > canceling the work before do cleanup in btsdio_remove. > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > Signed-off-by: Deepak Rathore <deeratho@cisco.com> > What tree(s) are you wanting this applied to? thanks, greg k-h
Hi Greg, I just saw that v6.1.52 is merged and released so can we consider this patch for v6.1.53 for v6.1 kernel. Thanks & Regards, Deepak -----Original Message----- From: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) Sent: Friday, September 8, 2023 9:48 AM To: Greg KH <gregkh@linuxfoundation.org> Cc: stable@vger.kernel.org; linux-kernel@vger.kernel.org Subject: RE: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition Hi Greg, I want to merge this change into v6.1.52 stable kernel version. I have added these details in my patch subject message. Sorry for inconvenience. Thanks & Regards, Deepak -----Original Message----- From: Greg KH <gregkh@linuxfoundation.org> Sent: Thursday, September 7, 2023 3:47 PM To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) <deeratho@cisco.com> Cc: stable@vger.kernel.org; linux-kernel@vger.kernel.org Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition On Wed, Sep 06, 2023 at 05:45:25PM +0530, Deepak Rathore wrote: > From: Zheng Wang <zyytlz.wz@163.com> > > [ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ] > > In btsdio_probe, the data->work is bound with btsdio_work. It will be > started in btsdio_send_frame. > > If the btsdio_remove runs with a unfinished work, there may be a race > condition that hdev is freed but used in btsdio_work. Fix it by > canceling the work before do cleanup in btsdio_remove. > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > Signed-off-by: Deepak Rathore <deeratho@cisco.com> > What tree(s) are you wanting this applied to? thanks, greg k-h
On Fri, Sep 08, 2023 at 06:06:32AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote: > Hi Greg, > > I just saw that v6.1.52 is merged and released so can we consider this patch for v6.1.53 for v6.1 kernel. What patch exactly? confused, greg k-h
Hi Greg, This change is required to fix kernel CVE: CVE-2023-1989 which is reported in v6.1 kernel version. It is fixed in upstream starting from v6.3 kernel version and required to fix in 6.1 kernel version as well so we have backported this from v6.3 kernel version to v6.1 and I have sent this patch for review and merging. Regards, Deepak -----Original Message----- From: Greg KH <gregkh@linuxfoundation.org> Sent: Friday, September 8, 2023 12:19 PM To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) <deeratho@cisco.com> Cc: stable@vger.kernel.org; linux-kernel@vger.kernel.org Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition On Fri, Sep 08, 2023 at 06:06:32AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote: > Hi Greg, > > I just saw that v6.1.52 is merged and released so can we consider this patch for v6.1.53 for v6.1 kernel. What patch exactly? confused, greg k-h
A: http://en.wikipedia.org/wiki/Top_post Q: Were do I find info about this thing called top-posting? A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail? A: No. Q: Should I include quotations after my reply? http://daringfireball.net/2007/07/on_top On Fri, Sep 08, 2023 at 06:54:06AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote: > Hi Greg, > > This change is required to fix kernel CVE: CVE-2023-1989 which is > reported in v6.1 kernel version. Which change? > It is fixed in upstream starting from v6.3 kernel version and required > to fix in 6.1 kernel version as well so we have backported this from > v6.3 kernel version to v6.1 and I have sent this patch for review and > merging. Again, what commit are you referring to here. confused, greg k-h
-----Original Message-----
From: Greg KH <gregkh@linuxfoundation.org>
Sent: Friday, September 8, 2023 12:39 PM
To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) <deeratho@cisco.com>
Cc: stable@vger.kernel.org; linux-kernel@vger.kernel.org
Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
> A: http://en.wikipedia.org/wiki/Top_post
> Q: Were do I find info about this thing called top-posting?
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing in e-mail?
> A: No.
> Q: Should I include quotations after my reply?
> http://daringfireball.net/2007/07/on_top
On Fri, Sep 08, 2023 at 06:54:06AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote:
> Hi Greg,
>
> This change is required to fix kernel CVE: CVE-2023-1989 which is
> reported in v6.1 kernel version.
> Which change?
[Deepak]: I am referring below change. This below change is required to fix kernel CVE: CVE-2023-1989 which is reported in v6.1 kernel.
Subject: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
From: Zheng Wang <zyytlz.wz@163.com>
[ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ]
In btsdio_probe, the data->work is bound with btsdio_work. It will be started in btsdio_send_frame.
If the btsdio_remove runs with a unfinished work, there may be a race condition that hdev is freed but used in btsdio_work. Fix it by canceling the work before do cleanup in btsdio_remove.
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Deepak Rathore <deeratho@cisco.com>
diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c index 795be33f2892..f19d31ee37ea 100644
--- a/drivers/bluetooth/btsdio.c
+++ b/drivers/bluetooth/btsdio.c
@@ -357,6 +357,7 @@ static void btsdio_remove(struct sdio_func *func)
if (!data)
return;
+ cancel_work_sync(&data->work);
hdev = data->hdev;
sdio_set_drvdata(func, NULL);
--
2.35.6
> It is fixed in upstream starting from v6.3 kernel version and required
> to fix in 6.1 kernel version as well so we have backported this from
> v6.3 kernel version to v6.1 and I have sent this patch for review and
> merging.
> Again, what commit are you referring to here.
> confused,
> greg k-h
[Deepak]: Sorry for the inconvenience that my message did not provide all the details.
The kernel CVE: CVE-2023-1989 is fixed in upstream with this commit: https://github.com/torvalds/linux/commit/73f7b171b7c09139eb3c6a5677c200dc1be5f318
Starting from v6.3 kernel and we have to fix this in 6.1 kernel as well, so we have backported this from v6.3 kernel version to v6.1 kernel.
Regards,
DeepakOn Sat, Sep 09, 2023 at 08:49:52AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote: > -----Original Message----- > From: Greg KH <gregkh@linuxfoundation.org> > Sent: Friday, September 8, 2023 12:39 PM > To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) <deeratho@cisco.com> > Cc: stable@vger.kernel.org; linux-kernel@vger.kernel.org > Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition > > > A: http://en.wikipedia.org/wiki/Top_post > > Q: Were do I find info about this thing called top-posting? > > A: Because it messes up the order in which people normally read text. > > Q: Why is top-posting such a bad thing? > > A: Top-posting. > > Q: What is the most annoying thing in e-mail? > > > A: No. > > Q: Should I include quotations after my reply? > > > > http://daringfireball.net/2007/07/on_top > > On Fri, Sep 08, 2023 at 06:54:06AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote: > > Hi Greg, > > > > This change is required to fix kernel CVE: CVE-2023-1989 which is > > reported in v6.1 kernel version. > > > Which change? > > [Deepak]: I am referring below change. This below change is required to fix kernel CVE: CVE-2023-1989 which is reported in v6.1 kernel. > > Subject: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition > > From: Zheng Wang <zyytlz.wz@163.com> > > [ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ] This commit is already in the 6.1.52 kernel release, why do you want it included again? confused, greg k-h
-----Original Message----- From: Greg KH <gregkh@linuxfoundation.org> Sent: Saturday, September 9, 2023 5:17 PM To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) <deeratho@cisco.com> Cc: stable@vger.kernel.org; linux-kernel@vger.kernel.org Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition On Sat, Sep 09, 2023 at 08:49:52AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote: > -----Original Message----- > From: Greg KH <gregkh@linuxfoundation.org> > Sent: Friday, September 8, 2023 12:39 PM > To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) > <deeratho@cisco.com> > Cc: stable@vger.kernel.org; linux-kernel@vger.kernel.org > Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free > bug in btsdio_remove due to race condition > > > A: http://en.wikipedia.org/wiki/Top_post > > Q: Were do I find info about this thing called top-posting? > > A: Because it messes up the order in which people normally read text. > > Q: Why is top-posting such a bad thing? > > A: Top-posting. > > Q: What is the most annoying thing in e-mail? > > > A: No. > > Q: Should I include quotations after my reply? > > > > http://daringfireball.net/2007/07/on_top > > On Fri, Sep 08, 2023 at 06:54:06AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote: > > Hi Greg, > > > > This change is required to fix kernel CVE: CVE-2023-1989 which is > > reported in v6.1 kernel version. > > > Which change? > > [Deepak]: I am referring below change. This below change is required to fix kernel CVE: CVE-2023-1989 which is reported in v6.1 kernel. > > Subject: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in > btsdio_remove due to race condition > > From: Zheng Wang <zyytlz.wz@163.com> > > [ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ] > This commit is already in the 6.1.52 kernel release, why do you want it included again? > confused, > greg k-h Hi Greg, Salvatore, When I have submitted this patch for review, at that time, 6.1.52 was not released. It will be good if you can share me guideline or details like how I can share CVE fix patch to upstream for review like what details I need to include in patch for review so from next time, we can save time in query discussion. Regards, Deepak
On Sun, Sep 10, 2023 at 06:25:22AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote:
> -----Original Message-----
> From: Greg KH <gregkh@linuxfoundation.org>
> Sent: Saturday, September 9, 2023 5:17 PM
> To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) <deeratho@cisco.com>
> Cc: stable@vger.kernel.org; linux-kernel@vger.kernel.org
> Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
>
> On Sat, Sep 09, 2023 at 08:49:52AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote:
> > -----Original Message-----
> > From: Greg KH <gregkh@linuxfoundation.org>
> > Sent: Friday, September 8, 2023 12:39 PM
> > To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco)
> > <deeratho@cisco.com>
> > Cc: stable@vger.kernel.org; linux-kernel@vger.kernel.org
> > Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free
> > bug in btsdio_remove due to race condition
> >
> > > A: http://en.wikipedia.org/wiki/Top_post
> > > Q: Were do I find info about this thing called top-posting?
> > > A: Because it messes up the order in which people normally read text.
> > > Q: Why is top-posting such a bad thing?
> > > A: Top-posting.
> > > Q: What is the most annoying thing in e-mail?
> >
> > > A: No.
> > > Q: Should I include quotations after my reply?
> >
> >
> > > http://daringfireball.net/2007/07/on_top
> >
> > On Fri, Sep 08, 2023 at 06:54:06AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote:
> > > Hi Greg,
> > >
> > > This change is required to fix kernel CVE: CVE-2023-1989 which is
> > > reported in v6.1 kernel version.
> >
> > > Which change?
> >
> > [Deepak]: I am referring below change. This below change is required to fix kernel CVE: CVE-2023-1989 which is reported in v6.1 kernel.
> >
> > Subject: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in
> > btsdio_remove due to race condition
> >
> > From: Zheng Wang <zyytlz.wz@163.com>
> >
> > [ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ]
>
> > This commit is already in the 6.1.52 kernel release, why do you want it included again?
>
> > confused,
>
> > greg k-h
>
> Hi Greg, Salvatore,
>
> When I have submitted this patch for review, at that time, 6.1.52 was not released.
>
> It will be good if you can share me guideline or details like how I
> can share CVE fix patch to upstream for review like what details I
> need to include in patch for review so from next time, we can save
> time in query discussion.
Why does the random assignment of a CVE number mean anything should be
done differently than the normal process of getting a stable patch
merged?
You have read:
https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
right?
That should cover it.
thanks,
greg k-h
On Sat, Sep 09, 2023 at 08:49:52AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote: > -----Original Message----- > From: Greg KH <gregkh@linuxfoundation.org> > Sent: Friday, September 8, 2023 12:39 PM > To: Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) <deeratho@cisco.com> > Cc: stable@vger.kernel.org; linux-kernel@vger.kernel.org > Subject: Re: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition > > > A: http://en.wikipedia.org/wiki/Top_post > > Q: Were do I find info about this thing called top-posting? > > A: Because it messes up the order in which people normally read text. > > Q: Why is top-posting such a bad thing? > > A: Top-posting. > > Q: What is the most annoying thing in e-mail? > > > A: No. > > Q: Should I include quotations after my reply? > > > > http://daringfireball.net/2007/07/on_top > > On Fri, Sep 08, 2023 at 06:54:06AM +0000, Deepak Rathore -X (deeratho - E-INFO CHIPS INC at Cisco) wrote: > > Hi Greg, > > > > This change is required to fix kernel CVE: CVE-2023-1989 which is > > reported in v6.1 kernel version. > > > Which change? > > [Deepak]: I am referring below change. This below change is required to fix kernel CVE: CVE-2023-1989 which is reported in v6.1 kernel. > > Subject: [v6.1.52][PATCH] Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition > > From: Zheng Wang <zyytlz.wz@163.com> > > [ Upstream commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 ] > > In btsdio_probe, the data->work is bound with btsdio_work. It will be started in btsdio_send_frame. > > If the btsdio_remove runs with a unfinished work, there may be a race condition that hdev is freed but used in btsdio_work. Fix it by canceling the work before do cleanup in btsdio_remove. > > Signed-off-by: Zheng Wang <zyytlz.wz@163.com> > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > Signed-off-by: Deepak Rathore <deeratho@cisco.com> > > diff --git a/drivers/bluetooth/btsdio.c b/drivers/bluetooth/btsdio.c index 795be33f2892..f19d31ee37ea 100644 > --- a/drivers/bluetooth/btsdio.c > +++ b/drivers/bluetooth/btsdio.c > @@ -357,6 +357,7 @@ static void btsdio_remove(struct sdio_func *func) > if (!data) > return; > > + cancel_work_sync(&data->work); > hdev = data->hdev; > > sdio_set_drvdata(func, NULL); > -- > 2.35.6 > > > > It is fixed in upstream starting from v6.3 kernel version and required > > to fix in 6.1 kernel version as well so we have backported this from > > v6.3 kernel version to v6.1 and I have sent this patch for review and > > merging. > > > Again, what commit are you referring to here. > > > confused, > > > greg k-h > > [Deepak]: Sorry for the inconvenience that my message did not provide all the details. > The kernel CVE: CVE-2023-1989 is fixed in upstream with this commit: https://github.com/torvalds/linux/commit/73f7b171b7c09139eb3c6a5677c200dc1be5f318 > Starting from v6.3 kernel and we have to fix this in 6.1 kernel as well, so we have backported this from v6.3 kernel version to v6.1 kernel. This change was already backported to 6.1.y and released in v6.1.52? It is commit 179c65828593aff1f444e15debd40a477cb23cf4 . Regards, Salvatore
© 2016 - 2025 Red Hat, Inc.